
ANY.RUN Publishes In-Depth Technical Analysis of GorillaBot, a Mirai-Based Botnet Targeting Over 100 Countries

DUBAI, DUBAI, UNITED ARAB EMIRATES, March 25, 2025 /EINPresswire.com/ -- ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, has published a comprehensive technical breakdown of GorillaBot, a newly discovered botnet based on the infamous Mirai source code. The botnet has already launched over 300,000 attacks globally and is actively targeting sectors including telecommunications, finance, and education.

A New Face of an Old Threat

GorillaBot reuses significant portions of Mirai’s original code but introduces its own enhancements, including custom encryption schemes, raw TCP communication, and advanced anti-analysis techniques.

It stands out for its ability to evade detection in containerized environments and honeypots, making it a more elusive threat than its predecessors.

Key Takeaways from the Analysis

· Built on Mirai code: GorillaBot heavily reuses core logic from Mirai while introducing its own improvements.

· Advanced C2 communication: Utilizes raw TCP sockets and a custom XTEA-like cipher for encrypting server addresses and communication.

· Authentication mechanism: Combines a decrypted hardcoded array with a server-provided magic value, then hashes the result with SHA-256 for authentication.

· Evasion techniques: Performs environment checks to detect honeypots and Kubernetes containers, exiting immediately if either is detected.

· Anti-debugging behavior: Uses TracerPid checks and SIGTRAP handling to avoid analysis tools.

· Obfuscation tactics: Encrypts internal configuration using a Caesar cipher and a custom block cipher.

To explore the full technical breakdown of GorillaBot, including behavior analysis, code insights, and relevant IOCs, visit the ANY.RUN blog.

About ANY.RUN

ANY.RUN is a cloud-based cybersecurity platform used by over 500,000 professionals worldwide. It offers an interactive malware sandbox along with powerful threat intelligence capabilities, enabling real-time behavioral analysis across Windows, Linux, and Android environments. From dynamic analysis to uncovering IOCs and tracking threat actors, ANY.RUN helps security teams investigate threats faster, collaborate more effectively, and stay ahead of emerging malware.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050